Introduction:
Syswarden, a powerful open-source security hardening tool, has introduced a critical update for RHEL-family distributions (CentOS Stream, Rocky Linux, AlmaLinux). Starting from version 2.16 (current 2.17), administrators can now bypass Firewalld entirely and directly choose between IPtables (the legacy packet-filtering framework) or NFtables (the modern, high-performance replacement). This shift grants granular control over firewall rules, improves system performance, and aligns with enterprise security policies that demand deterministic rule sets without Firewalld’s abstraction layer.
Learning Objectives:
- Compare Firewalld, IPtables, and NFtables architectures in RHEL environments.
- Configure Syswarden to deploy NFtables rules for low-latency packet filtering.
- Implement persistent firewall rules and IPv4 blocklists using Data-Shield integration.
You Should Know:
1. Why Ditch Firewalld? Understanding IPtables vs. NFtables on RHEL
Firewalld provides a dynamic firewall manager with zone-based policies, but it adds overhead and can complicate automation. Syswarden’s latest update lets you switch to either IPtables (classic, linear rule processing) or NFtables (in-kernel virtual machine with better performance and atomic rule updates). On modern RHEL 8/9 systems, NFtables is the default backend, yet Firewalld still sits on top. By removing Firewalld and letting Syswarden manage NFtables directly, you reduce latency and gain full control.
Step‑by‑step guide to disable Firewalld and prepare for Syswarden:
Stop and disable Firewalld
sudo systemctl stop firewalld
sudo systemctl disable firewalld
sudo systemctl mask firewalld
Install NFtables (if not present)
sudo dnf install nftables -y
Enable but do not start nftables yet (Syswarden will manage it)
sudo systemctl enable nftables
Verify that no conflicting rules exist
sudo nft list ruleset
Between stopping Firewalld and Syswarden applying its rule set, the host has no packet filter at all, so run these steps from a console or out-of-band session, or apply the Syswarden rules immediately afterwards.
To use IPtables instead, install it:
sudo dnf install iptables iptables-services -y
sudo systemctl enable iptables
2. Configuring Syswarden to Use NFtables (Performance-First Approach)
Syswarden v2.17 from the Git repository includes configuration flags to select your firewall backend. The default behavior previously forced Firewalld-cmd; now you can override it. This step assumes you have cloned the repo and have the latest release.
Step‑by‑step to set NFtables as the active backend:
Clone the Syswarden repo (if not already)
git clone https://github.com/sys-warden/syswarden.git
Replace with the actual repo from lnkd.in/eSHGHseJ
cd syswarden
Check out v2.17 or later
git checkout v2.17
Edit the main configuration file (e.g., /etc/syswarden/config or ./config/syswarden.conf)
sudo nano /etc/syswarden/syswarden.conf
Add or modify these lines:
FIREWALL_BACKEND="nftables"
ENABLE_BLOCKLISTS="true"
BLOCKLIST_SOURCE="https://raw.githubusercontent.com/Data-Shield/ipv4-blocklists/main/full-blocklist.txt"
Run Syswarden to apply rules
sudo ./syswarden --apply
For IPtables, set FIREWALL_BACKEND="iptables". Syswarden will then generate and apply the appropriate rule sets, bypassing firewalld-cmd completely.
3. Crafting Advanced NFtables Rules for Hardening (with Syswarden Integration)
When Syswarden manages NFtables, it typically creates a base table (e.g., inet filter). You can extend its configuration with custom rule snippets. Below are hardened rules to block all inbound except SSH, HTTP/HTTPS, and then integrate Syswarden’s dynamic blocklists.
Step‑by‑step to manually verify and augment NFtables rules:
These commands assume Syswarden has already created the inet filter table and its input base chain.
View current ruleset
sudo nft list ruleset
Create a regular (non-hook) chain for logging dropped packets. A second base chain hooked on input at priority -1 with a bare drop rule would log and drop every inbound packet before the main input chain ran, so the log chain is instead jumped to from the end of input.
sudo nft add chain inet filter input-log
sudo nft add rule inet filter input-log log prefix "NFT-DROP: " drop
Allow loopback and established/related traffic (must be before drop rules)
sudo nft add rule inet filter input iif lo accept
sudo nft add rule inet filter input ct state established,related accept
Allow SSH (port 22) – change if needed
sudo nft add rule inet filter input tcp dport 22 accept
Allow HTTP/HTTPS (quote the set, otherwise the shell brace-expands {80,443} into "80 443")
sudo nft add rule inet filter input tcp dport '{ 80, 443 }' accept
Log and drop everything else via the logging chain (Syswarden will insert blocklists here)
sudo nft add rule inet filter input jump input-log
Make rules persistent (Syswarden usually handles this; for a manual save use tee, because the redirect in "sudo cmd > file" runs as the unprivileged user and fails)
sudo nft list ruleset | sudo tee /etc/nftables.conf > /dev/null
Syswarden can automatically merge its blocklists (Data-Shield IPv4 lists) with your custom rules by reading a template file. Check /etc/syswarden/nft_template.conf.
4. Leveraging IPtables Legacy for Compatibility (Scripted Approach)
If you manage older RHEL 7 systems or require compatibility with legacy tools, the IPtables backend is still robust. Syswarden will output raw iptables commands. Use the following steps to verify and harden.
Step‑by‑step for IPtables hardening with Syswarden:
Add the accept rules first and set the DROP policies last; setting INPUT DROP before the SSH accept rule exists cuts off an interactive SSH session
Allow loopback
sudo iptables -A INPUT -i lo -j ACCEPT
Allow established connections
sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
Allow SSH
sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT
Set default policies (after the accept rules above)
sudo iptables -P INPUT DROP
sudo iptables -P FORWARD DROP
sudo iptables -P OUTPUT ACCEPT
Save rules persistently (tee, because the redirect in "sudo cmd > file" runs without root)
sudo iptables-save | sudo tee /etc/sysconfig/iptables > /dev/null
To restore on boot, ensure the iptables service is enabled
sudo systemctl enable iptables
Syswarden can append its blocklists using iptables-restore. Configure the backend in `/etc/syswarden/syswarden.conf` with `FIREWALL_BACKEND="iptables"` and `IPTABLES_SAVE_FILE="/etc/sysconfig/iptables"`.
5. Automating Persistence and Handling Reboots Correctly
One common pitfall after disabling Firewalld is losing firewall rules on reboot. Syswarden v2.17 includes a systemd timer to reapply rules, but you must ensure that no other service conflicts.
Step‑by‑step to automate persistence:
Create a systemd service for Syswarden (if not provided)
sudo nano /etc/systemd/system/syswarden.service
Add the following content:
[Unit]
Description=Syswarden Firewall Manager
After=network.target nftables.service
# Do not add Before=network-pre.target here: network-pre.target is ordered
# before network.target, so a unit that is After= the latter and Before= the
# former creates an ordering cycle that systemd resolves by dropping a dependency.

[Service]
Type=oneshot
ExecStart=/usr/local/bin/syswarden --apply
RemainAfterExit=yes

[Install]
WantedBy=multi-user.target
Enable and start the service
sudo systemctl daemon-reload
sudo systemctl enable syswarden.service
sudo systemctl start syswarden.service
For NFtables, mask the default nftables service to avoid conflicts
sudo systemctl mask nftables
For IPtables, mask the iptables service
sudo systemctl mask iptables
Now Syswarden will apply its rules at boot, and you can manually trigger with sudo systemctl restart syswarden.
6. Testing, Auditing, and Validating Your Firewall Configuration
After applying Syswarden with your chosen backend, verify that rules are active and blocklists function correctly. Use the following commands and tools.
Step‑by‑step audit:
Check NFtables ruleset
sudo nft list ruleset | grep -E "drop|reject|blocklist"
For IPtables
sudo iptables -L -n -v
Test connectivity from another machine (replace with your server IP)
nmap -sS -p 22,80,443,8080 <your-server-ip>
Verify that Syswarden blocklists are loaded (check for large drop sets)
sudo nft list set inet filter blocklist_ipv4
Monitor real-time drops (the log statement writes to the kernel log, not to nft monitor, which only reports ruleset and trace events)
sudo journalctl -kf | grep "NFT-DROP"
Log analysis – Syswarden typically logs to /var/log/syswarden.log
tail -f /var/log/syswarden.log
If you notice performance issues with IPtables (linear search), migrate to NFtables using Syswarden’s built-in conversion tool (if available): sudo syswarden --convert-to-nft.
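The audit above tells you that drops happen; an audit report also wants to know which sources and destination ports are being dropped. The script below is an added example and not part of the article or of Syswarden: it summarises the kernel's netfilter log lines carrying the "NFT-DROP: " prefix from the log-and-drop rule (the KEY=VALUE format the kernel writes to journald or /var/log/messages). The log lines are constructed samples, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not Syswarden code): summarise "NFT-DROP: " kernel log lines.
# Assumes the standard netfilter log format (IN= OUT= SRC= DST= PROTO= DPT= ...).
set -eu

# Count dropped packets per source address, most frequent first.
top_drop_sources() {  # $1 = log file, $2 = how many rows to show
    grep 'NFT-DROP: ' "$1" \
    | awk '{ for (i = 1; i <= NF; i++)
               if ($i ~ /^SRC=/) { sub(/^SRC=/, "", $i); n[$i]++ } }
           END { for (s in n) print n[s], s }' \
    | sort -rn | head -n "$2"
}

# Count drops per protocol/destination port, most frequent first.
top_drop_ports() {  # $1 = log file, $2 = how many rows to show
    grep 'NFT-DROP: ' "$1" \
    | awk '{ p = ""; d = ""
             for (i = 1; i <= NF; i++) {
                 if ($i ~ /^PROTO=/) p = substr($i, 7)
                 if ($i ~ /^DPT=/)   d = substr($i, 5)
             }
             if (d != "") n[p "/" d]++ }
           END { for (k in n) print n[k], k }' \
    | sort -rn | head -n "$2"
}

# Sources at or above a drop threshold: candidates to cross-check against the
# loaded blocklist set (if already listed, the blocklist is doing its job).
noisy_sources() {  # $1 = log file, $2 = threshold
    top_drop_sources "$1" 100000 | awk -v t="$2" '$1 >= t { print $2 }'
}

# Constructed sample log (documentation addresses, not real traffic); the last
# line is an unrelated sshd entry that the NFT-DROP filter must ignore.
SAMPLE_LOG="${TMPDIR:-/tmp}/nft-drop-sample.$$"
cat > "$SAMPLE_LOG" <<'EOF'
Mar 10 08:00:01 host kernel: NFT-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=198.51.100.10 LEN=44 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=43210 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Mar 10 08:00:02 host kernel: NFT-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.10 LEN=44 PROTO=TCP SPT=43211 DPT=3389 SYN URGP=0
Mar 10 08:00:02 host kernel: NFT-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.10 LEN=44 PROTO=TCP SPT=43212 DPT=445 SYN URGP=0
Mar 10 08:00:05 host kernel: NFT-DROP: IN=eth0 OUT= SRC=198.51.100.77 DST=198.51.100.10 LEN=44 PROTO=TCP SPT=51000 DPT=23 SYN URGP=0
Mar 10 08:00:09 host kernel: NFT-DROP: IN=eth0 OUT= SRC=192.0.2.9 DST=198.51.100.10 LEN=78 PROTO=UDP SPT=1025 DPT=161 LEN=58
Mar 10 08:00:10 host sshd[1234]: Accepted publickey for admin from 198.51.100.20 port 50222 ssh2
EOF

echo "== top dropped sources ==";  top_drop_sources "$SAMPLE_LOG" 5
echo "== top dropped ports ==";    top_drop_ports   "$SAMPLE_LOG" 5
echo "== sources with >= 3 drops =="; noisy_sources "$SAMPLE_LOG" 3
```

On a live RHEL host, feed the functions the kernel log instead of the sample file, for example `sudo journalctl -k --since -1h > /tmp/kern.log` and then `top_drop_sources /tmp/kern.log 20`.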
7. Integrating Data-Shield IPv4 Blocklists for Proactive Defense
Syswarden’s companion project, Data-Shield, provides curated IPv4 blocklists that can be automatically fetched and applied. This drastically reduces attack surface by dropping traffic from known malicious IP ranges.
Step‑by‑step to enable blocklists:
In syswarden.conf, set:
ENABLE_BLOCKLISTS="true"
BLOCKLIST_URLS=(
  "https://raw.githubusercontent.com/Data-Shield/ipv4-blocklists/main/full-blocklist.txt"
  "https://raw.githubusercontent.com/Data-Shield/ipv4-blocklists/main/ssh-attackers.txt"
)
BLOCKLIST_REFRESH_HOURS=6
Create a cron job or systemd timer for updates
sudo syswarden --update-blocklists
sudo systemctl restart syswarden
Verify blocklist size by counting the address entries (grepping for the word "elements" only matches the single line that opens the list, so it always reports 1)
sudo nft list set inet filter blocklist_ipv4 | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]+)?' | wc -l
For IPtables, the blocklist is implemented as a custom chain with many `-s` drop rules. Use `iptables -L INPUT -n | wc -l` to see rule count.
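Sections 3, 4 and 7 describe the two shapes the blocklist takes: an nftables set in the inet filter table, or a chain of `-s ... -j DROP` rules for IPtables. The script below is an added example, not Syswarden's or Data-Shield's code: it reads an IPv4 blocklist (assumed to be one address or CIDR per line with `#` comments, which is how Data-Shield-style text feeds are laid out), discards malformed or duplicate entries so one bad line cannot make the whole load fail, and emits a complete ruleset for whichever value of `FIREWALL_BACKEND` is selected, either an `nft -f` file containing the hardened input chain from section 3 plus a `blocklist_ipv4` interval set, or an `iptables-restore` file with a `BLOCKLIST` chain. Both formats are applied in a single transaction, which is the property that makes reloading tens of thousands of entries safe. Table, chain and set names follow the article; the sample feed is constructed.

```shell
#!/bin/sh
# Added example, not Syswarden or Data-Shield code. Builds an atomically
# loadable ruleset for the backend named in FIREWALL_BACKEND from an IPv4
# blocklist file (assumed format: one address or CIDR per line, '#' comments).
set -eu

# Keep only syntactically valid IPv4 addresses/CIDRs, strip comments, dedup.
# Anything else (IPv6, hostnames, junk, octets > 255) is dropped so one bad
# line cannot make `nft -f` or `iptables-restore` reject the whole file.
clean_blocklist() {  # $1 = blocklist file
    sed 's/#.*//; s/[[:space:]]//g' "$1" \
    | grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}(/([0-9]|[12][0-9]|3[0-2]))?$' \
    | awk -F'[./]' '$1 < 256 && $2 < 256 && $3 < 256 && $4 < 256' \
    | sort -u
}

# nftables: "flush ruleset" plus the full table in one file, so `nft -f`
# replaces the active rules in a single transaction (no half-applied state).
# The set uses "flags interval" so CIDR entries work and "auto-merge" so
# overlapping entries in a feed do not make the load fail.
emit_nft_ruleset() {  # $1 = blocklist file
    elems=$(clean_blocklist "$1" | paste -sd, - | sed 's/,/, /g')
    if [ -n "$elems" ]; then
        set_elems="elements = { $elems }"
    else
        set_elems="# empty blocklist"
    fi
    cat <<EOF
flush ruleset
table inet filter {
    set blocklist_ipv4 {
        type ipv4_addr
        flags interval
        auto-merge
        $set_elems
    }
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state invalid drop
        ct state established,related accept
        ip saddr @blocklist_ipv4 counter drop
        tcp dport 22 accept
        tcp dport { 80, 443 } accept
        log prefix "NFT-DROP: " drop
    }
    chain forward { type filter hook forward priority 0; policy drop; }
    chain output  { type filter hook output priority 0; policy accept; }
}
EOF
}

# iptables: iptables-restore format, also applied in one transaction.
# The blocklist is its own chain of "-s ... -j DROP" rules, jumped to after
# loopback/established so replies to existing connections skip the long scan.
emit_iptables_restore() {  # $1 = blocklist file
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:BLOCKLIST - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -j BLOCKLIST
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
-A INPUT -j LOG --log-prefix "IPT-DROP: "
EOF
    clean_blocklist "$1" | sed 's/^/-A BLOCKLIST -s /; s/$/ -j DROP/'
    echo "COMMIT"
}

# Dispatch on the same values syswarden.conf uses for FIREWALL_BACKEND.
emit_ruleset() {  # $1 = nftables|iptables, $2 = blocklist file
    case "$1" in
        nftables) emit_nft_ruleset "$2" ;;
        iptables) emit_iptables_restore "$2" ;;
        *) echo "unknown FIREWALL_BACKEND: $1" >&2; return 2 ;;
    esac
}

# Constructed sample feed (not a real Data-Shield list): exercises comments,
# a duplicate, a bad octet, an IPv6 entry and junk.
SAMPLE_LIST="${TMPDIR:-/tmp}/sample-blocklist.$$"
cat > "$SAMPLE_LIST" <<'EOF'
# constructed sample, not a real Data-Shield feed
203.0.113.0/24
198.51.100.7
198.51.100.7      # duplicate
192.0.2.300       # invalid octet
2001:db8::1       # IPv6, this script is IPv4-only
not-an-ip
EOF

emit_ruleset "${FIREWALL_BACKEND:-nftables}" "$SAMPLE_LIST"
```

To use it on a real feed, point `emit_ruleset` at the downloaded list and write the output to a file; check it with `sudo nft -c -f ruleset.nft` (or `sudo iptables-restore --test ruleset.ipt`) before loading, and load with `sudo nft -f ruleset.nft` or `sudo iptables-restore ruleset.ipt`. Because both files carry the complete policy, a broken feed fails the whole load and leaves the previous rules untouched rather than leaving the host half-filtered.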
What Undercode Says:
- Flexibility is power: Dropping Firewalld for direct NFtables/IPTables management eliminates abstraction overhead and gives security teams deterministic control—critical for compliance and automation.
- Performance matters: NFtables outperforms IPtables in rule-set atomicity and speed, especially with large blocklists (tens of thousands of IPs). Syswarden’s support for NFtables makes it enterprise-ready.
- Blocklists as a service: Integrating Data-Shield IPv4 lists transforms Syswarden from a mere config tool into a proactive threat intelligence platform, reducing noise from scanners and botnets.
Prediction:
Within 18 months, major RHEL-based security tools will abandon Firewalld as the default abstraction layer, moving to native NFtables management. Syswarden’s approach—letting users choose the backend while offering automated blocklist integration—will become the template for next-gen host firewalls. We anticipate broader adoption of eBPF-based filtering, but NFtables will remain the reliable workhorse. Enterprises currently wrestling with Firewalld’s complexity will accelerate migrations, and Syswarden’s Git-driven update model will set the standard for transparent, auditable security automation.
Reported By: Laurent Minne – Hackers Feeds